On May 23, 2024, the European Data Protection Board (EDPB) issued a report on the work done by the ChatGPT Taskforce. While the report is not guidance in the form typically issued by the EDPB, it serves as de facto guidance for how AI programs might be evaluated for GDPR compliance going forward. The underlying question is whether ChatGPT is being unfairly scrutinized by authorities because of its popularity as a Large Language Model (LLM) AI.
In February 2024, the FTC created a new Office of Technology to “strengthen the FTC’s ability to keep pace with technological challenges in the digital marketplace,” including to “strengthen and support law enforcement investigations and actions.”
In its latest Privacy and Data Security Update released on March 28, 2024 (covering the time period of January 2021 through December 2023), the FTC underscored its work on issues related to artificial intelligence (AI), health data, geolocation tracking, children and teens’ data, data security, credit reporting and financial privacy, as well as spam calls and emails. The FTC also noted its consistent call on Congress to restore its ability under Section 13(b) of the FTC Act to seek monetary relief, including consumer refunds, in federal court, and to pass comprehensive privacy legislation.
In 2018, Singapore’s Cybersecurity Act established a strong legal framework for the oversight and maintenance of cybersecurity by the Cyber Security Agency of Singapore (CSA). The Cybersecurity Act is separate from Singapore’s Personal Data Protection Act, which is the principal legislation that governs the collection, use, and disclosure of individuals’ personal information by businesses.
The Cybersecurity Act applies specifically to owners and operators of critical information infrastructures, requiring such entities to comply with certain standards and policies, conduct audits and risk assessments, and implement incident reporting measures.
Reckoning with a constantly evolving cyber threat landscape and seeking to ensure adequate protections as critical information infrastructure operators shift towards cloud-based operations, the CSA passed the Cybersecurity (Amendment) Act (the “Amendments”) on May 7, 2024. The Amendments reinterpret how critical information infrastructure is defined, identified, and secured, and aim to address the diverse range of cybersecurity threats in Singapore’s vast digital economy.
On May 10, 2024, Vermont’s House and Senate released an unofficial 105-page version of Bill H.121, and it’s already making waves. Coming in close second to California’s Consumer Privacy Protection Act & California Privacy Rights Act, the unofficial Vermont Data Privacy Act is robust. The bill aims to combat the aggressive data-gathering economy and the use of addictive algorithms by various social media platforms targeting children. As it awaits Governor Phil Scott’s signature, let’s delve into some of its key provisions and implications.
LEGISLATIVE & REGULATORY UPDATE
Vietnam: Decree 13 and the New Regulations on Personal Data Protection
The Library of Law
"The Vietnamese government has issued long-awaited Decree No.13/2023/ND-CP on Personal Data Protection (Decree 13). This is Vietnam’s first-ever comprehensive legal document regulating personal data protection. Released on April 13, 2023, it provides new requirements for collecting and processing personal data. Decree 13 will take effect on July 1, 2023."
Illinois Senate Advances Changes to State’s Biometric Privacy Law After Business Groups Split
Capitol News Illinois
"It’s been more than a year since the Illinois Supreme Court “respectfully suggest(ed)” state lawmakers clarify a law that’s led to several multi-million-dollar settlements with tech companies over the collection of Illinoisans’ biometric data.
On Thursday, a bipartisan majority in the Illinois Senate did just that, approving the first major change to Illinois’ Biometric Information Privacy Act since it was originally passed in 2008."
Ransomware Attack on Seattle Public Library Knocks Out Online Systems
The Record
"A ransomware attack on the Seattle Public Library has brought services to a halt — knocking out the wireless network, computers for staff and patrons, and the entire online catalog."
Hackers Claim Ticketmaster/Live Nation Data Breach, More Than 500m Compromised
Cyber Daily
"The ShinyHunters hacking group has shared the details of an alleged hack of Ticketmaster and Live Nation and is selling the data for a one-time price of US$500,000."
Merrill Lynch Data Breach Exposes Walmart Employees' 401(k) Data
Business Insurance
"A data breach at Merrill Lynch exposed the personal information of 1,883 Walmart employees enrolled in the company's 401(k) retirement plan, including names and Social Security numbers, 401K Specialist reports.
The breach, caused by an employee's email error, was discovered on April 22, and affected individuals were notified on May 23."
First American December Data Breach Impacts 44,000 People
Bleeping Computer
"First American Financial Corporation, the second-largest title insurance company in the United States, revealed Tuesday that a December cyberattack led to a breach impacting 44,000 individuals."
Christie’s Confirms Breach After RansomHub Threatens to Leak Data
Bleeping Computer
"Christie's confirmed that it suffered a security incident earlier this month after the RansomHub extortion gang claimed responsibility and threatened to leak stolen data."
Sav-Rx Discloses Data Breach Impacting 2.8 Million Americans
Bleeping Computer
"Prescription management company Sav-Rx is warning over 2.8 million people in the United States that it suffered a data breach, stating that their personal data was stolen in a 2023 cyberattack."
PrivacyCafé: Navigating AI in Health Care with Rachel Stuve, Elevance Health
HBS
In this episode of PrivacyCafé, Richard Sheinis and Jade Davis invite guest Rachel Stuve, Senior Director at Elevance Health, to share her journey in data science and artificial intelligence, particularly in the health care sector. Rachel explores how AI is used, the best strategies for integrating AI, and the challenges and opportunities in adopting AI in health care and business.
Richard Sheinis
Rich is a Certified Information Privacy Professional (CIPP-US) and a Certified Information Privacy Technologist (CIPT) through the International Association of Privacy Professionals (IAPP). He works with companies to investigate and respond to HIPAA and other data breaches, and advises on regulatory compliance, including HIPAA, COPPA, PCI DSS, cross-border data transfer, the EU-US Privacy Shield, and other global privacy regulations.
Jade Davis
Jade provides strategic privacy and cyber-preparedness compliance advice, and defends, counsels, and represents companies on privacy, global data security compliance, data breaches, and investigations. She advises companies on best practices in privacy, cybersecurity, data, mobile, cloud storage, Ad Tech privacy, Internet of Things, and other areas of regulatory compliance.
Joseph Stepina
Joseph is an Associate in our Little Rock office where he focuses his practice on general liability, premises liability, products liability and data privacy and cybersecurity matters.
Lea McBryde
Lea is an associate in our Charlotte office, where she focuses her practice on data privacy and cybersecurity matters.
Savannah Avera
Savannah is an associate in our Atlanta office, where she protects the rights of clients in health care and cyberspace.